From 673e2e23ec8f584f3c49dfbd12f8a5f7e384c3c7 Mon Sep 17 00:00:00 2001
From: Bradley Reynolds
Date: Thu, 15 Jan 2026 02:09:21 +0000
Subject: [PATCH] Add zizmor pre-commit hook

Signed-off-by: Bradley Reynolds
---
 .github/workflows/dependency-review.yaml | 2 ++
 .github/workflows/python-ci.yaml | 4 +++-
 .github/workflows/python-publish-pypi.yaml | 2 ++
 .pre-commit-config.yaml | 11 ++++++++++-
 noxfile.py | 2 +-
 5 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index 26c2fbf..52ae787 100644
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -12,6 +12,8 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 - name: Dependency Review
 uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
diff --git a/.github/workflows/python-ci.yaml b/.github/workflows/python-ci.yaml
index 9bedb68..05303ed 100644
--- a/.github/workflows/python-ci.yaml
+++ b/.github/workflows/python-ci.yaml
@@ -8,7 +8,6 @@ on:
 
 permissions:
 contents: read
- id-token: write
 
 jobs:
 lint:
@@ -91,6 +90,9 @@ jobs:
 runs-on: ubuntu-latest
 needs: [test]
 if: ${{ always() }}
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
diff --git a/.github/workflows/python-publish-pypi.yaml b/.github/workflows/python-publish-pypi.yaml
index dff4982..b8d04bb 100644
--- a/.github/workflows/python-publish-pypi.yaml
+++ b/.github/workflows/python-publish-pypi.yaml
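Review bot: The job that receives `id-token: write` in the `@@ -91,6 +90,9 @@` hunk is gated on `if: ${{ always() }}`, so it still runs — and can still request an OIDC token — when `test` fails or the whole run is cancelled; the job's name and the step that consumes the token sit outside the hunk, so what the token is for is not visible here. If the intent is only "run after `test` regardless of its result", `if: ${{ !cancelled() }}` keeps that while not starting a token-bearing job on a cancelled run. Scoping the grant to this one job and dropping it from the workflow level in the `@@ -8,7 +8,6 @@` hunk is the right direction; it is worth confirming that no other job in the file relied on the inherited `id-token: write`, since jobs without their own `permissions` block now get only `contents: read`.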
@@ -22,6 +22,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 - name: Build and inspect Python 🐍 package 📦
 uses: hynek/build-and-inspect-python-package@efb823f52190ad02594531168b7a2d5790e66516 # v2.14.0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 129c12b..b252bad 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,4 +1,9 @@
 repos:
+ - repo: meta
+ hooks:
+ - id: check-hooks-apply
+ - id: check-useless-excludes
+
 - repo: https://github.com/pre-commit/pre-commit-hooks
 rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0
 hooks:
@@ -6,9 +11,13 @@ repos:
 - id: check-merge-conflict
 - id: check-toml
 - id: check-yaml
- - id: check-json
 - id: trailing-whitespace
 args: [ --markdown-linebreak-ext=md ]
 - id: mixed-line-ending
 args: [ --fix=lf ]
 - id: end-of-file-fixer
+
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: 7fc963270df722f37707d47ff41265fe8f460822 # frozen: v1.20.0
+ hooks:
+ - id: zizmor
diff --git a/noxfile.py b/noxfile.py
index 6634a99..be60d21 100644
--- a/noxfile.py
+++ b/noxfile.py
@@ -33,7 +33,7 @@ def tests(session: nox.Session) -> None:
 @nox.session
 def lints(session: nox.Session) -> None:
 """Run lints."""
- session.run("pre-commit", "run", "--all-files")
+ session.run("prek", "run", "--all-files")
 session.run("ruff", "check", "--fix", ".")
 session.run("ruff", "format", ".")
 session.run("mypy", "--strict", "src/")
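Review bot: `check-json` is dropped in this hunk and the nox lint runner is switched from `pre-commit` to `prek` in the noxfile.py hunk, yet the commit message only describes adding the zizmor hook. Presumably the new `check-hooks-apply` meta hook from the `@@ -1,4 +1,9 @@` hunk would fail on a hook that matches no file in the repository, which would explain the removal, but nothing in the patch says so; one sentence in the commit message covering both side changes would spare the next reader a bisect. The zizmor entry itself follows the file's convention of a SHA-pinned `rev` with a `# frozen:` tag and carries no `args:`, so it runs with zizmor's default thresholds — fine as a starting point, but any tightening (severity, confidence, persona) will have to go on the hook's `args:`.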
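Review bot: `session.run("prek", "run", "--all-files")` now depends on a `prek` executable that nothing in the hunk installs — there is no `session.install(...)` in the visible part of `lints`, and the function may continue below the hunk. Unless prek is declared in the project's dev dependencies, the lint session runs whatever prek happens to be on PATH (nox only warns about a command outside the session's virtualenv unless it is passed `external=True`), which sits oddly next to every hook in `.pre-commit-config.yaml` being SHA-pinned; `session.install("prek==<pinned-version>")`, or an entry in the dev dependency group, would make the session reproducible. The previous `pre-commit` invocation appears to have had the same dependency, so this may be pre-existing, but the tool swap is the natural moment to pin it.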